I want to create a simple XSS. Below is my code:
<body>
  <script>
    function update() {
      const message = document.getElementById("message").value;
      // innerHTML parses the typed value as HTML; this is the sink the question is about
      document.getElementById("show_message").innerHTML = message;
    }
  </script>
  <h1 class="title">Cross-Site Scripting</h1>
  <div class="input">
    <input type="text" id="message"/><br/>
    <button type="button" onclick="update()">submit</button>
  </div>
  <hr/>
  <div id="root">
    You typed :
    <span id="show_message">
    </span>
  </div>
</body>
Then I tried to type in <script>alert(1);</script>. But it didn't work.
Where's the problem?
The script tag is not going to run because the browser is not going to let you do that. It is EXACTLY there to prevent such XSS attacks.
Anyway, if you want to see it run you can check other answers:
If you just want an input that can run, create one using img
<image/src/onerror=alert(8)>
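Added example (not part of the original question or answer): a drop-in replacement for the question's `update()` that writes the input with `textContent`, which stores the value as text and never runs the HTML parser, so neither string quoted on this page becomes an element. `escapeHtml`, `renderMessage`, `messageMarkup` and `SAMPLES` are names introduced here for illustration.

```javascript
// Characters that let untrusted text break out of HTML text or a quoted attribute.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Single-pass replacement, so an "&" produced by escaping is never escaped twice.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe sink: textContent assigns a text node. No tags, no event-handler
// attributes and no resource loads are created from the value.
function renderMessage(target, untrusted) {
  target.textContent = untrusted;
}

// Only for the case where markup must be built as a string:
// escape the untrusted part before it is concatenated into HTML.
function messageMarkup(untrusted) {
  return "<b>" + escapeHtml(untrusted) + "</b>";
}

// Same name and element ids as the question's handler, so the existing
// onclick="update()" button keeps working in the browser.
function update() {
  const message = document.getElementById("message").value;
  renderMessage(document.getElementById("show_message"), message);
}

// Constructed sample inputs: the two strings quoted on this page.
const SAMPLES = ["<script>alert(1);</script>", "<image/src/onerror=alert(8)>"];

// Returns the escaped form of each sample, i.e. what messageMarkup would embed.
function escapedSamples() {
  return SAMPLES.map(escapeHtml);
}
```

With this handler both sample strings are displayed literally after "You typed :" instead of being interpreted.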